Reverse Engineering Stack Exchange is a question and answer site for researchers and developers who explore the principles of a system through analysis of its structure, function, and operation. It's 100% free, no registration required.

So 0 would mean char? yet it's a pointer to a char (4 bytes)?, Probably shouldn't touch those
The 4 after would be int which seems right.
The 16 after looks like 2 x 8 bytes.
Since time_t could be 4 bytes or 8 bytes.

I checked and time_t is defined as

-00016080 var_16080 dd 6 dup(?) ; offset

So it thinks it's 4 bytes x 6 which would be 24 bytes? why does it think that? Yes I get that var_16080 when I click on the time_t

So this is where I get confused I think it's really 8 bytes and all I have to do is make it time_t v374[2]

1 Answer
1

I'm not sure that it is possible to answer this question without seeing all the function because correctness of local variable type recovery can be done only by understanding of the context where variables are used.

However, I'd suggest the following algorithm for dealing with local variables
in Hex-Rays:

As your friend said, do nothing with variables allocated on the registers.

For all other variables allocated on the stack, do the following:

Look where this variable is used.

If you see one of patterns below, act accordingly, but press F5 after each change and review results. Remember, you can revert each type back by pressing Y and entering previous type on it.

If you see usage of some different offsets relative to this variable it may be a structure. Try to create one by right-click on the variable and choosing corresponding menu item. Usage of this variable as function parameter or other connections to already known types may give you a hint about type of the variable.

If you see not constant offsets (such as offset in another variable) it can be array. Press asterisk (*) on the variable, IDA will suggest the length of the array, it does it relatively good.

If you see both of those patterns, it is possibly array of structures or more complicated case like array of structures in structure which is member of array and vice versa :) In this case try to find a smallest structure/array and start with it.

At all, there are the following possibilities to affect the function stack in Hex-Rays:

Changing variable type (press y on the variable, enter type)

Making variable an array (press * on it)

Creating new structure
type on a variable basis (Right click on the variable, corresponding
menu item)

Undefining a variable: Doubleclick on stack variable
will open stack function stack window. Pressing u on a variable will
undefine it.

Merging a variable: if you see that two different
variables are actually the same you can press = and tell to the
decompiler that they are really the same. AFAIR it works in IDA 6.5
and IDA6.5

Don't forget to refresh the decompiled code view by pressing F5 after each change to see results.

That's all.

By the way, there is one point you are probably missing:
IDA and HexRays can make more than one variable on the same place in stack,
so v369, v370, v371, v372, v373 are using same place in the stack, but are different variables from decompiled code point of view.

Yup I eliminated a bunch of those v369, v370 v371 v372 v373 since it's just one array. I found the last gap in the [sp+###h] to be exactly 80000 bytes and I made it into a array. It's almost all right except for like a5[] seems to be pointer to a structure but in other area's it's set to value 1 casted to pointer which is not possible. Don't think I need to Press F5 everytime I change a variable it automatically re-decompiles it. Also guessing these local variables lead me to redo the project over at one point as it started to overwrite my rdata. Here full code: pastebin.com/4HdT0hdk
–
SSpokeApr 22 '14 at 5:47

Here is my project too, mediafire.com/?qnqb00q4yk4kq6v maybe you can run it under the 6.5 and give me the C file haha so I could use it as a reference sheet. I started fixing the C file in notepad not relying on IDA PRO which changes the stuff all over the place which I like but sometimes it just doesn't do right in one area after you do it right in another area kinda like one screws up the other nearly all the problems I encountered in this function ChatProcesser() the other is in the PlayerHandleGamePacket(). Now error 414850: could not find valid save-restore pair for edi
–
SSpokeApr 22 '14 at 5:53